I'm re-thinking our Shinken monitoring layout and thinking about introducing realms to keep the communication between different security areas, zones and LANs to a minimum, or better, to keep the holes in the firewalls between the environments, areas and LANs to a minimum. Our network is divided into two environments (internal and external usage, respectively); each environment is separated into areas (servers without user access, DMZ), and each area is subdivided into different application LANs. Everything is isolated by firewalls.

Right now we've got one Shinken "master" server and two to five pollers in every area, probing the servers in the different LAN segments of the different areas of both environments. So a connection between the master and every poller is needed. The idea is to still have the master server (arbiter/broker), but to move the scheduler service to a different server in each area, communicating with the slave servers (poller/reactioner) in the LAN segments.

So I'm interested in how the different daemons are communicating with each other and which ports are really needed to be open in which direction?
With the standard ports the communication should be like that:
Arbiter -> Scheduler (DST-Port 7768)
Scheduler -> Broker (DST-Port 7722)
Scheduler -> Poller (DST-Port 7771)
Scheduler -> Reactioner (DST-Port 7772)
Reactioner -> Scheduler (DST-Port 7768)
Poller -> Scheduler (DST-Port 7768)
Arbiter -> Scheduler/Broker/Poller/Reactioner (ICMP)

But I have no clue if that is everything, and why is the arbiter daemon listening on port 7770, and for what? Could someone tell me if I'm completely off track, or if it's logical to change the system like that?

Thanks in advance.
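The question above is really "which firewall holes does each layout need?", and that can be computed rather than reasoned out by hand. The following is an added example, not code from the post or from the Shinken project: it takes the daemon-to-daemon flows exactly as the post lists them (the port numbers are the post's own claim and are not verified here), a hypothetical placement of daemon instances into network zones (the zone names `master`, `area-a/lan1` etc. are constructed), and emits the set of cross-zone rules (source zone, destination zone, protocol, destination port) each layout requires. The realm idea is modelled by the assumption that a scheduler only talks to pollers/reactioners in its own area.

```python
"""Derive the cross-zone firewall openings a Shinken daemon layout needs.

Added example, not from the post or from Shinken itself. Flows, zone names and
daemon placements below are constructed for illustration.
"""

# (client daemon, server daemon, protocol, destination port) as listed in the post.
# ICMP flows carry no port (None).
FLOWS = [
    ("arbiter", "scheduler", "tcp", 7768),
    ("scheduler", "broker", "tcp", 7722),
    ("scheduler", "poller", "tcp", 7771),
    ("scheduler", "reactioner", "tcp", 7772),
    ("reactioner", "scheduler", "tcp", 7768),
    ("poller", "scheduler", "tcp", 7768),
    ("arbiter", "scheduler", "icmp", None),
    ("arbiter", "broker", "icmp", None),
    ("arbiter", "poller", "icmp", None),
    ("arbiter", "reactioner", "icmp", None),
]

HUB = "master"  # constructed name for the zone holding the master server
LANS = ["area-a/lan1", "area-a/lan2", "area-b/lan1", "area-b/lan2"]  # constructed

# Today: everything on the master except one poller per LAN segment.
CURRENT_LAYOUT = {
    "arbiter": {HUB},
    "broker": {HUB},
    "scheduler": {HUB},
    "reactioner": {HUB},
    "poller": set(LANS),
}

# Proposed: one scheduler per area (placed in that area's first LAN),
# pollers and reactioners in every LAN segment.
PROPOSED_LAYOUT = {
    "arbiter": {HUB},
    "broker": {HUB},
    "scheduler": {"area-a/lan1", "area-b/lan1"},
    "reactioner": set(LANS),
    "poller": set(LANS),
}


def realm(zone):
    """Area part of a zone name, e.g. 'area-a/lan2' -> 'area-a' (constructed scheme)."""
    return zone.split("/")[0]


def firewall_rules(layout, flows=FLOWS, hub=HUB):
    """Return the sorted cross-zone rules (src_zone, dst_zone, proto, port).

    Traffic inside one zone needs no firewall hole and is skipped.  Assumed realm
    semantics: daemons in two different areas never talk to each other directly;
    only the hub zone (arbiter/broker) talks across area boundaries.
    """
    rules = set()
    for client, server, proto, port in flows:
        for src in layout[client]:
            for dst in layout[server]:
                if src == dst:
                    continue  # same zone: no firewall involved
                if hub not in (src, dst) and realm(src) != realm(dst):
                    continue  # different areas, neither side is the hub: not a realm pairing
                rules.add((src, dst, proto, port))
    return sorted(rules, key=lambda r: (r[0], r[1], r[2], r[3] or 0))


def rules_touching(rules, zone):
    """Subset of rules that open a hole into or out of the given zone."""
    return [r for r in rules if zone in (r[0], r[1])]


def print_rules(title, rules):
    print(f"== {title}: {len(rules)} rules, {len(rules_touching(rules, HUB))} touching {HUB}")
    for src, dst, proto, port in rules:
        print(f"  {src:14s} -> {dst:14s} {proto}" + (f"/{port}" if port else ""))


if __name__ == "__main__":
    print_rules("current layout", firewall_rules(CURRENT_LAYOUT))
    print_rules("proposed layout", firewall_rules(PROPOSED_LAYOUT))
```

With the constructed four-LAN example the proposed layout cuts the rules that touch the master zone from 12 to 8, but it does not reduce the total, because the scheduler-to-poller/reactioner holes move inside each area and the per-LAN ICMP line from the post still reaches every poller from the arbiter. Whether that ICMP flow is really required is exactly the kind of thing worth checking before re-cutting firewall rules, since it alone accounts for half of the remaining master-facing openings.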